Event details
Whether you're actively managing device security or planning your next steps, this AMA is your opportunity to connect directly with Microsoft experts and get clear, actionable guidance on updating Secure Boot certificates and monitoring the status of your update efforts.
Bring your questions on rollout plans, challenges, reporting, and best practices. We’ll cover real-world scenarios, common challenges, and the steps you can take to confidently navigate the process.
If Secure Boot certificate updates are on your project list—or you just want to make sure you’ve updated certificates successfully across your estate—this live, interactive event will help you move forward with clarity and confidence.
72 Comments
- JuergKoller
Brass Contributor
Is it correct, that the mentioned high confidence list update in June will not be applied to the devices, if they install the June cumulative hotpatch update?
- mihi
Iron Contributor
I am confident that it is correct (the March and May hotpatch updates did not include BucketConfidenceData.cab either)
Once released, you can check by downloading the list of affected files linked in the KB article and checking whether BucketConfidenceData.cab is in it.
You can follow the instructions at
to manually deploy the high confidence data on hotpatched machines.
- r056226_jpmcai
Occasional Reader
Could you please clarify:
- What is the impact on servers where Secure Boot and vTPM are enabled, if the PK certificate is not updated but the CA 2023 certificates are present
- Will Secure Boot and vTPM continue to function as expected, and will the servers be able to receive new security protections, boot manager updates, and revocation lists
- Are there any operational or compliance risks we should be aware of in this scenario
- lalanc01
Iron Contributor
What can we do to help change the confidence level from temporarily paused to an OK confidence level, like under observation or high confidence?
How can we know what is causing the confidence level to be temporarily paused, so that we know if we can do something on our end to do the update?
- ChrisK67
Copper Contributor
What is the recommendation for the example scripts placed in the secure boot folder with May updates? Why have only some systems received the folder?
- JamesEpp
Iron Contributor
This is just a hunch, but I suspect that devices that only got the May Hotpatch update exclude that folder, as that would be considered a non-security/quality update.
Versus machines that got the "full" May LCU, which would have it.
Again that's a hunch, but I suspect that's the case. My home system has the folder. My work system (which is getting Hotpatches) doesn't.
- Mabel_Gomes
Microsoft
The May 2026 Windows security update for some versions of Windows introduced the folder and example scripts. This is the documentation in the KB release notes:
- "This update adds a new SecureBoot folder under C:\Windows on eligible devices. The folder contains example scripts intended for organizations with IT professionals who actively manage updates across their device fleet. These scripts can be used to detect Secure Boot certificate update status and automate deployment via a safe rollout mechanism in an Active Directory environment. For more information, see Sample Secure Boot E2E Automation Guide."
Updates for these Windows versions included the scripts: Windows 10, version 22H2 and version 21H2, Windows Server 2019, Windows 10 Enterprise LTSC 2019, Windows Server 2016, Windows 10 Enterprise LTSC 2016, Windows 11 version 23H2, Windows 11 version 24H2, Windows Server 2025, Windows Server 2022.
These scripts are documented at:
Monitoring Secure Boot certificate status with Microsoft Intune remediations - Microsoft Support
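As an added example for readers who want to see what such a status check looks like in practice (this is not Microsoft's sample script from the SecureBoot folder, nor code posted in this thread), the following PowerShell gathers the main signals on one device: whether Secure Boot is on, whether the 2023 CAs are present in the db and KEK variables, the servicing status values the update task writes to the registry, and the most recent Secure Boot servicing events, which is where the 1796 and 1801 events raised elsewhere in this thread show up. The registry path and value names (UEFICA2023Status, UEFICA2023Error, AvailableUpdates) and the Microsoft-Windows-TPM-WMI event provider are taken from Microsoft's Secure Boot servicing guidance as I recall it and should be verified against your own devices; the certificate subject strings are the published names of the 2023 CAs.

```powershell
# Added example: per-device Secure Boot 2023 certificate status report.
# Not one of the Microsoft sample scripts shipped in C:\Windows\SecureBoot.
# Run in an elevated PowerShell session on a UEFI device.

function Get-SecureBootCertReport {
    [CmdletBinding()]
    param()

    $report = [ordered]@{ ComputerName = $env:COMPUTERNAME }

    # 1. Secure Boot must be enabled for the certificate update to apply at all
    #    (see the AMA answer above). Confirm-SecureBootUEFI throws on legacy BIOS
    #    or unsupported platforms instead of returning $false, so catch that.
    try {
        $report.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        $report.SecureBootEnabled = $false
        $report.Note = $_.Exception.Message
        return [pscustomobject]$report
    }

    # 2. Look for the 2023 CAs in the UEFI variables. Subject names are stored as
    #    ASCII inside the DER certificates, so a substring match on the raw bytes works.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

    $report.Db_WindowsUefiCa2023     = $db  -match 'Windows UEFI CA 2023'
    $report.Db_MicrosoftUefiCa2023   = $db  -match 'Microsoft UEFI CA 2023'
    $report.Db_OptionRomUefiCa2023   = $db  -match 'Microsoft Option ROM UEFI CA 2023'
    $report.Kek_Microsoft2023        = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
    # The 2011 CA is not removed by the update; it simply expires. Expected to stay True.
    $report.Db_WindowsPca2011Present = $db  -match 'Microsoft Windows Production PCA 2011'

    # 3. Servicing state written by the Secure Boot update task (value names assumed
    #    from Microsoft's servicing documentation; verify on your own fleet).
    $servicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $props = Get-ItemProperty -Path $servicingKey -ErrorAction SilentlyContinue
    $report.UEFICA2023Status = $props.UEFICA2023Status
    $report.UEFICA2023Error  = $props.UEFICA2023Error
    $report.AvailableUpdates = $props.AvailableUpdates

    # 4. Most recent Secure Boot servicing events. 1796 is the "failed to update a
    #    Secure Boot variable" error quoted in this thread; 1801 and 1808 are the
    #    other servicing event IDs discussed here. Provider name is an assumption.
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-TPM-WMI'
        Id           = 1796, 1801, 1808
    } -MaxEvents 10 -ErrorAction SilentlyContinue

    $report.RecentServicingEvents = $events | ForEach-Object {
        '{0:u} [{1}] {2}' -f $_.TimeCreated, $_.Id, ($_.Message -split "`n")[0]
    }

    [pscustomobject]$report
}

# Usage on the local device:
Get-SecureBootCertReport | Format-List

# Usage across a fleet (PowerShell Remoting must be enabled on the targets):
# Invoke-Command -ComputerName (Get-Content .\servers.txt) -ScriptBlock ${function:Get-SecureBootCertReport} |
#     Export-Csv .\SecureBootStatus.csv -NoTypeInformation
```

A device that reports SecureBootEnabled = True, all four 2023 flags True and UEFICA2023Status of Updated has the certificate side of the update done; a device with Db_WindowsUefiCa2023 = False and a recent 1796 event is the failure case several commenters describe and is where the UEFICA2023Error value and the full event message are worth reading before retrying.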
- Javian
Occasional Reader
I work for a small company and all our rollouts for the update have gone well for user workstations; however, I am having difficulty updating Windows Server 2016 VMs. They are returning an error:
"The Secure Boot update failed to update a Secure Boot variable with error The parameter is incorrect." Event ID 1796
I have not been able to find a solution for this as it is so vague. Are there any troubleshooting steps to take to identify the actual problem?
- mihi
Iron Contributor
dupe. Answered it on the other one.
- lalanc01
Iron Contributor
What can be done so that working devices, with Secure Boot working and reporting everything in all other Intune features, are seen as certificate status unknown and nothing in trust/confidence etc. in the Secure Boot report?
We have about a third of devices in that situation.
Devices are the 1801 events.
- LavalAgglomeration
Occasional Reader
Hello, for the renewal of a fleet of 1000 workstations via MECM, what is the best approach/method? Thank you.
- skywalker2045
Copper Contributor
Can devices that have Secure Boot off get the Secure Boot update? Or do they need Secure Boot enabled, then get the update? Assuming these computers are able to have Secure Boot turned on.
- Mabel_Gomes
Microsoft
Devices must have Secure Boot turned on to receive the certificate updates. You can learn more about this topic at 0:26 and 0:32 in the recording above.
- wingmanerik
Copper Contributor
Unsure if this would be a Microsoft-specific question; however, we have several virtual machines running on VMware that need their Secure Boot certificates updated. VMware currently does not have an automated way to update the Platform Key for vTPM-enabled systems. They report they are working with Microsoft to develop an automated way to deploy the updated certificates. Do you know if there is an ETA for this process, or would this question be better targeted towards Broadcom?
Thanks,
- JFAudet
Copper Contributor
For pushing required firmware updates with Intune, are the updates going to automatically become recommended updates? Or are they in Other Drivers?